
Wide Session Overview
The main session overview provides the largest collection of data provided by Blackbird. Inspired by WPA, it combines event timelines, performance metrics and rows to bring it all together.
Advanced Windows DFIR Malware Analysis & Detection Platform.
Blackbird is a kernel-backed malware analysis, software reverse-engineering, and DFIR platform.
The platform provides EDR-level visibility. Blackbird leverages a usermode API hooking sensor, process instrumentation, ETW, kernel hooking and callbacks, Filter Manager, and more.
The platform is built for malware analysis, live triage, and historical session review. Instead of working directly off heuristics, Blackbird provides as much information surrounding API calls as possible, including arguments to system calls, memory regions, stack frames, disassembly, and more.
The published documentation covers setup, architecture, GUI operation, detections, threat modeling, VM isolation, lifecycle behavior, crash handling, and release review in one Blackbird documentation set.


The API view allows observation of a select set of API calls made by the target process, pulled from both userland & the kernel.

This view shows descendant execution plus explicit inbound and outbound cross-process handles.

The memory inspector shows the target process memory view, including classification, allocator resolution, disassembly and scanning.

The process filter is the acquisition point for a session. It mimics Task Manager's process list and also lets you open EXE or DLL files directly.

The thread stack window shows the selected thread snapshot, stack bounds, RIP/RSP/TEB metadata, resolved frames, general registers, EFLAGS, and DRx state, with live and historical snapshot handling.